FAT

From Digital Forensics Framework


This page is currently being rewritten. Consequently, some information is outdated, missing or inexact.

  • Synopsis : fat path [--parent parent]


Start

Driver for FAT (File Allocation Table) file systems. To use the Fat module, you must have a dump already loaded in the DFF virtual file system.

To start the Fat driver, you must double-click on the fat dump or go to the menu Open with -> File system -> Fat.


A pop-up will appear, where you can choose to carve unallocated space. The default value is set to True. Deactivating this option can slightly speed up the execution of the Fat driver.


Once this is done, you can click the OK button to start the fat driver, or Cancel if you wish to cancel executing it.

Results

The driver will rebuild the FAT file system and retrieve deleted data. Recovered deleted file names appear in red. A directory named Unallocated cluster will be created at the root, containing the list of unallocated clusters. Extended attributes can also be visualized.
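To show how deleted entries can be told apart on disk, here is an added example (not DFF's code, and not a description of how the DFF driver is implemented). It parses a FAT directory region and flags entries whose first name byte is 0xE5, the standard FAT marker for a freed entry. The helper `make_entry`, the `SAMPLE` bytes and all file names are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32      # every FAT directory entry is 32 bytes
DELETED = 0xE5       # first name byte of a freed (deleted) entry
END_OF_DIR = 0x00    # first name byte when no further entries follow
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F      # long-file-name entry, skipped here

def parse_directory(raw):
    """Return the short (8.3) entries of a raw FAT directory region."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        ent = raw[off:off + ENTRY_SIZE]
        if ent[0] == END_OF_DIR:
            break
        attr = ent[11]
        if (attr & 0x3F) == ATTR_LFN or (attr & ATTR_VOLUME_ID):
            continue
        deleted = ent[0] == DELETED
        # Deletion overwrites the first name character; show "_" in its place.
        base = (b"_" + ent[1:8] if deleted else ent[0:8]).decode("ascii", "replace").rstrip()
        ext = ent[8:11].decode("ascii", "replace").rstrip()
        (hi,) = struct.unpack_from("<H", ent, 20)       # high cluster word (FAT32)
        lo, size = struct.unpack_from("<HI", ent, 26)   # low cluster word, file size
        entries.append({
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries

def make_entry(name, ext, attr, cluster, size, deleted=False):
    """Build one constructed 32-byte entry (hypothetical helper for the sample)."""
    raw = bytearray((name.ljust(8) + ext.ljust(3)).encode("ascii"))
    raw += bytes([attr]) + bytes(8) + struct.pack("<H", cluster >> 16) + bytes(4)
    raw += struct.pack("<HI", cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)

# Constructed sample: a live file, a deleted file, a subdirectory, end marker.
SAMPLE = (make_entry("REPORT", "DOC", 0x20, 5, 1234)
          + make_entry("SECRET", "TXT", 0x20, 9, 42, deleted=True)
          + make_entry("LOGS", "", ATTR_DIRECTORY, 12, 0)
          + bytes(ENTRY_SIZE))
```

Calling `parse_directory(SAMPLE)` returns three entries; the deleted one keeps its starting cluster and size, which is what makes content recovery possible as long as the clusters have not been reused.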
